GhostNet cyber-spy network busted by Canadians

By Sean Kerner | March 30, 2009

From the 'Is China spying on you?' files:

A massive global spying network, dubbed GhostNet, was uncovered this weekend by researchers at my alma mater, the University of Toronto. The network was allegedly run by the government of China, and was first discovered through the researchers' examination of the Tibetan Dalai Lama's website, but is much more widespread than any one site.

"The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries," the report states. "Up to 30 percent of the infected hosts are considered high-value targets and include computers located at the ministries of foreign affairs, embassies, international organizations, news media and NGOs."

Allegedly the GhostNet -- which in my view is just another name for a botnet -- infected the hosts by way of a trojan that was delivered by way of a document attachment.

There are a few really interesting aspects to this story. First is the fact that there is a global co-ordinated effort by 'someone' (maybe China but we don't know for sure) to infiltrate global political organizations.

Then there is the fact that this GhostNet was discovered almost accidentally, by way of an examination of the Dalai Lama's website (who had requested that the UofT researcher examine his site as he was suspicious of certain activities). It is unclear at this point how long this spying activity has been going on, and it is also unclear if any of the affected parties knew about these issues prior to being informed by the security researchers.

From a security point of view, the GhostNet is particularly disturbing because it should be preventable. You would think that with proper network access controls in place, anti-virus software and firewalls, trojans shouldn't be able to infect PCs. We don't know the security posture of all the infected PCs, but if they weren't all properly secured that's pretty scary. If they were secured and they still got infected, that's even scarier.

What is for sure is that botnets and trojans are no longer just the domain of criminals. Trojans are now also a cyber-weapon that can be used by governments (or their agents) for spying operations.